Email or username:

Password:

Forgot your password?
Top-level
inference
@iska @safiuddinkhan @cyberspook @m0xee @dushman Because no Linux hardware other than Android is really using HSMs or TEEs with verified boot. The only company I know which does that is Google, using the Titan.
11 comments
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

Verified boot is not a requirement for android, and exists in standard PCs.

inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman Verified boot does not exist in normal PCs. Verified boot is not the same as secure boot, it is an extra layer above which protects the OS integrity, not just checking the bootloader signature. You are very wrong.
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

How would google's edition of GNU/Linux have verified boot but not normal?
elinux.org/images/f/f8/Verifie

puri.sm is even more secure, even neutralizing IME. Here's one of their features.
puri.sm/posts/new-pureboot-fea

inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman

"Distributions like PureOS are not particularly secure. They are mostly a reskinned Debian and do not include substantial hardening."

https://madaidans-insecurities.github.io/linux-phones.html
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

I'm talking about the hardware there. You can install a hardened OS on it, including ChromiumOS or Android-x86.

inference replied to Iska :emacs_thinking:​ :guix:
@iska @safiuddinkhan @cyberspook @m0xee @dushman Chromium OS doesn't have verified boot, only Chrome OS does.

There is no system outside of ARM phones and tablets which take advantage of a HSM or TEE to allow storing OS signing keys (not the same as bootloader/kernel keys, which is secure boot).
Iska :emacs_thinking:​ :guix: replied to inference

@inference @safiuddinkhan @cyberspook @m0xee @dushman

You can boot chromeos there too, but it has at least one backdoor so you're not safe.
google.com/intl/en/chromebook/
(section 4)

chromebooks are bad too.
theregister.com/2019/08/22/buy

Would you trust your house to a thief?

I've already mentioned an article about verified boot on normal GNU/Linux.

MattZ replied to Iska :emacs_thinking:​ :guix:
Computer Security is an unachievable goal, the most reasonable thing to do is not connect your computer to internet 24/7.
Iska :emacs_thinking:​ :guix: replied to MattZ

@colinsmatt11 @safiuddinkhan @inference @dushman @m0xee @cyberspook

Besides you need hardware access or hard fuckups to compromise boot.

Guix with LUKS and SELinux is 99.99% secure, with simplicity and freedom; and definitely better than proprietary jails.

m0xEE replied to inference

@inference @safiuddinkhan @cyberspook @iska @dushman You may be right, but this article is just bad. Hardening in the OS is not good enough so we can just install Android 🤷
Hardware switches are not good enough because we can just use software airplane mode 🤦
Having modem on a separate board so that we can physically disconnect it is not good enough because we can just ask SoC to do it (and trust it) 🤯
It doesn't mean that Liberm5 is perfect, but these points are just awful!

Go Up